From ef0283a0d7ea693662fd2ec83d62c6e4ca5f2ed3 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Sun, 25 Oct 2015 13:58:09 +0000 Subject: main/musl: fix single-byte overflow of malloc'd buffer in getdelim from upstream: http://git.musl-libc.org/cgit/musl/commit/?id=b114190b29417fff6f701eea3a3b3b6030338280 --- main/musl/APKBUILD | 6 +++++- main/musl/fix-single-byte-overflow.patch | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 main/musl/fix-single-byte-overflow.patch (limited to 'main/musl') diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD index a6075980df..f0691874aa 100644 --- a/main/musl/APKBUILD +++ b/main/musl/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Timo Teräs pkgname=musl pkgver=1.1.12 -pkgrel=0 +pkgrel=1 pkgdesc="the musl c library (libc) implementation" url="http://www.musl-libc.org/" arch="all" @@ -12,6 +12,7 @@ depends_dev="!uclibc-dev" makedepends="$depends_dev" subpackages="$pkgname-dev $pkgname-utils $pkgname-dbg libc6-compat:compat" source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz + fix-single-byte-overflow.patch ldconfig __stack_chk_fail_local.c 
@@ -128,18 +129,21 @@ compat() { } md5sums="42875e0c111aa1cb9d08663f8d42c799 musl-1.1.12.tar.gz +9aeeaaa70c75608e0b3ed6b6de5b3a37 fix-single-byte-overflow.patch 830d01f7821b978df770b06db3790921 ldconfig 0df687757221bbb0fc1aa67f1bd646f9 __stack_chk_fail_local.c 57ef2c63b9ec6a2041694ace97d4ffa2 getconf.c 2b941c4251cac44988a4abfc50e21267 getent.c 45f92f8d59cf84d765de698a9578dbf4 iconv.c" sha256sums="720b83c7e276b4b679c0bffe9509340d5f81fd601508e607e708177df0d31c0e musl-1.1.12.tar.gz +370daa951d0547dc77d699945e5f49eb941516ead5aee51c5e9ca30061c7c5f8 fix-single-byte-overflow.patch b4a2c06db38742e8c42c3c9838b285a7d8cdac6c091ff3df5ff9a15f1e41b9c7 ldconfig 299a7d75a09de3e2e11e7fb4acc3182e4a14e868093d2f30938fce9bfcff13da __stack_chk_fail_local.c d87d0cbb3690ae2c5d8cc218349fd8278b93855dd625deaf7ae50e320aad247c getconf.c 68373a55e89ce85c562d941ccf588337d6cc6c9c17689d695f65cd7607134bbe getent.c f79a2930a2e5bb0624321589edf8b889d1e9b603e01e6b7ae214616605b3fdd7 iconv.c" sha512sums="7cabbe2665e32bd3408c8865f89f474106e982b4e5de81d0cdeea19e19e20b4d2496faf1adc6b2811d996f30f39258184ba347e8eb5f3811eab89179e8f52d70 musl-1.1.12.tar.gz +75e5c98a27924ed6a2ce5113f56ecff2774506a82c2ad65c815998083ef812d9a36e61e270a40b29b436ca91cf28563a7138f6eb5f206bbd1422eeae0346012c fix-single-byte-overflow.patch 8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f ldconfig 062bb49fa54839010acd4af113e20f7263dde1c8a2ca359b5fb2661ef9ed9d84a0f7c3bc10c25dcfa10bb3c5a4874588dff636ac43d5dbb3d748d75400756d0b __stack_chk_fail_local.c 0d80f37b34a35e3d14b012257c50862dfeb9d2c81139ea2dfa101d981d093b009b9fa450ba27a708ac59377a48626971dfc58e20a3799084a65777a0c32cbc7d getconf.c diff --git a/main/musl/fix-single-byte-overflow.patch b/main/musl/fix-single-byte-overflow.patch new file mode 100644 index 0000000000..ffc5b3551c --- /dev/null +++ b/main/musl/fix-single-byte-overflow.patch 
@@ -0,0 +1,32 @@
+From b114190b29417fff6f701eea3a3b3b6030338280 Mon Sep 17 00:00:00 2001
+From: Rich Felker
+Date: Sat, 24 Oct 2015 22:42:10 -0400
+Subject: fix single-byte overflow of malloc'd buffer in getdelim
+
+the buffer enlargement logic here accounted for the terminating null
+byte, but not for the possibility of hitting the delimiter in the
+buffer-refill code path that uses getc_unlocked, in which case two
+additional bytes (the delimiter and the null termination) are written
+without another chance to enlarge the buffer.
+
+this patch and the corresponding bug report are by Felix Janda.
+---
+ src/stdio/getdelim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/stdio/getdelim.c b/src/stdio/getdelim.c
+index a88c393..3077490 100644
+--- a/src/stdio/getdelim.c
++++ b/src/stdio/getdelim.c
+@@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric
+ for (;;) {
+ z = memchr(f->rpos, delim, f->rend - f->rpos);
+ k = z ? z - f->rpos + 1 : f->rend - f->rpos;
+- if (i+k >= *n) {
++ if (i+k+1 >= *n) {
+ if (k >= SIZE_MAX/2-i) goto oom;
+ *n = i+k+2;
+ if (*n < SIZE_MAX/4) *n *= 2;
+--
+cgit v0.11.2
+
--
cgit v1.2.3
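Review bot: The widened check `if (i+k+1 >= *n)` in the embedded getdelim.c hunk has no comment saying what the extra byte is for, so the reasoning exists only in the commit message and the `+1` is easy to drop in a later cleanup. I would add above it `/* +1: the refill path may store one more byte (the delimiter read via getc_unlocked) before the terminating null is written */`. The allocation `*n = i+k+2` in the same hunk already reserves both bytes, which suggests only the trigger condition was short by one. The getc_unlocked store and the final null write are outside the hunk (getdelim starts and ends beyond it), so this reading rests on the commit message rather than on visible code.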